Node.js Constant Hashtable Seeds Vulnerability FAQ

Issue

This document covers additional questions about the Node.js Constant Hashtable Seeds vulnerability announced on July 11, 2017.

Resolution

How do I determine which apps are vulnerable?

You should have received an email that contains a list of applications that are vulnerable according to our records. Please search your email for "[ACTION REQUIRED] Follow-up: Node.js security update on Heroku".

Most Node.js apps are vulnerable. To check which apps are Node.js apps, you can check your Heroku Dashboard. You will need to separately view any teams or organizations of which you are a member.

To check the version in use for a particular app, run:

$ heroku run node -v -a APPNAME

What versions do not contain the vulnerability?

The following versions of Node.js have been patched and are available on Heroku.

4.8.4
6.11.1
7.10.1
8.1.4

Are the 0.10.x, 0.12.x and 5.x versions vulnerable?

Any version other than those listed above is vulnerable.

0.10.x and 0.12.x are vulnerable; however, no patch exists for these versions. The Node.js press release notes this as follows:

The 0.10.x and 0.12.x release lines are also vulnerable to the Constant Hashtable Seeds vulnerability. We recommend that users of these release lines upgrade to one of the supported LTS release lines.

5.x is an unsupported development version; it does not fall into an LTS release line and so is not covered by the CVE. However, we believe this version is also vulnerable, so it is best to upgrade to an LTS release.

How do I patch my app?

Review your package.json file. You need to ensure your engines section specifies a version that is not vulnerable: 4.8.4, 6.11.1, 7.10.1, or 8.1.4. If you do not specify a version, 6.11.1 will be used automatically. Please see Specifying a Node.js version for details.
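The two checks above (the version reported by `heroku run node -v` and the engines entry in package.json) can be automated across many apps. The following is an added example written for this FAQ, not Heroku's or the Node.js project's own tooling. It classifies a version string against the patched list above, and inspects a parsed package.json the way the patching advice describes: no engines.node means Heroku's default 6.11.1, an exact pin is classified directly, and a range is reported for manual verification because it cannot be resolved offline. It assumes that later patch releases on the same line (for example 6.11.2) also carry the fix, which is how Node.js release lines work; release lines the FAQ does not mention are reported as unknown. The sample package.json objects are constructed, not real apps.

```javascript
// Added example (not Heroku's or Node.js's code): classify Node.js versions
// against the patched releases named in this FAQ.
// Assumption: any release on the same line at or above the patched version
// contains the fix; lines not covered by the FAQ are reported as 'unknown'.
const PATCHED = { 4: [4, 8, 4], 6: [6, 11, 1], 7: [7, 10, 1], 8: [8, 1, 4] };
const HEROKU_DEFAULT = '6.11.1'; // used when package.json has no engines.node

// Parse "v8.1.4" or "8.1.4" into [major, minor, patch]; null if not exact.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)$/.exec(String(v).trim());
  if (!m) return null;
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Lexicographic comparison of two [major, minor, patch] triples.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Returns one of:
//   'patched'     - at or above the patched release for that line
//   'vulnerable'  - below the patched release for that line
//   'unsupported' - 0.10.x, 0.12.x or 5.x: vulnerable and no patch exists
//   'unknown'     - release line not covered by this FAQ
//   'invalid'     - not an exact x.y.z version string
function classify(v) {
  const ver = parseVersion(v);
  if (!ver) return 'invalid';
  const [major, minor] = ver;
  if (major === 0 && (minor === 10 || minor === 12)) return 'unsupported';
  if (major === 5) return 'unsupported';
  const fixed = PATCHED[major];
  if (!fixed) return 'unknown';
  return compareVersions(ver, fixed) >= 0 ? 'patched' : 'vulnerable';
}

// Inspect a parsed package.json object (JSON.parse of the file contents).
// A semver range cannot be resolved without the buildpack, so it is flagged
// as 'range' and should be confirmed with `heroku run node -v -a APPNAME`.
function checkPackageJson(pkg) {
  const spec = pkg && pkg.engines && pkg.engines.node;
  if (spec === undefined) {
    return { spec: null, resolved: HEROKU_DEFAULT, status: classify(HEROKU_DEFAULT) };
  }
  if (parseVersion(spec)) {
    return { spec, resolved: spec, status: classify(spec) };
  }
  return { spec, resolved: null, status: 'range' };
}

// Constructed sample inputs, not real applications.
const SAMPLES = [
  { name: 'no-engines', pkg: {} },
  { name: 'pinned-old', pkg: { engines: { node: '6.10.0' } } },
  { name: 'pinned-fixed', pkg: { engines: { node: '8.1.4' } } },
  { name: 'legacy', pkg: { engines: { node: '0.10.48' } } },
  { name: 'range', pkg: { engines: { node: '>=6.0.0' } } },
];

// One report line per app, suitable for feeding into a remediation list.
function report(samples) {
  return samples.map((s) => {
    const r = checkPackageJson(s.pkg);
    const spec = r.spec === null ? '(none, Heroku default ' + r.resolved + ')' : r.spec;
    return s.name + ': engines.node=' + spec + ' -> ' + r.status;
  });
}

console.log(report(SAMPLES).join('\n'));
```

Treat 'range' results as unresolved: run the `heroku run node -v` command from the first question on those apps and feed the printed version to `classify`.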

Upgrading fails due to some dependencies. How can I upgrade?

If you do not use a lockfile, Node.js dependencies do not pin to specific versions, and so the version of dependencies your app uses may have changed since your last deploy. Alternatively, the versions you have pinned may not be compatible with the newer version of Node.js you are using.

Unfortunately, there is no easy solution to this problem. You will need to update your application and its dependencies as needed.

Are third-party buildpacks affected?

Any buildpack that uses a Node.js binary is affected. For this reason, we recommend using our official buildpacks whenever possible. Please contact the maintainers of any third-party buildpacks you use to request that they be updated to use new versions of Node.js (or fork the buildpack and send a pull request!).